US20250379735A1
Quantum-Resistant Password-Authenticated Key Exchanges
Publication
Application
Classifications
IPC Classifications
CPC Classifications
Applicants
Apple Inc.
Inventors
Jelle V. Vos, Yannick L. Sierra, Catherine Yun, Steven A. Myers
Abstract
Techniques are disclosed relating to quantum resistant cryptography. In some embodiments, a shared secret is established for secure communication between a first device and a second device using a hybrid password-authenticated key exchange (PAKE). The hybrid PAKE includes deriving an initial secret using an elliptic-curve key exchange (ECKE) using a generator selected based on a password, encrypting, using the initial secret, a public key of a key encapsulation mechanism (KEM) for transmission to the second device, decrypting, using the initial secret, a ciphertext received from the second device encapsulating the shared secret using the public key, and decapsulating the shared secret from the decrypted ciphertext using a private key of the KEM.
Figures
Description
[0001]The present application claims priority U.S. Prov. Appl. No. 63/709,786, entitled “Quantum-Resistant Password-Authenticated Key Exchanges,” filed Oct. 21, 2024, and to U.S. Prov. Appl. No. 63/657,668, entitled “Quantum-Resistant Password-Authenticated Key Exchanges,” filed Jun. 7, 2024, which is incorporated by reference herein in its entirety.
BACKGROUND
Technical Field
[0002]This disclosure relates generally to cryptography, and, more specifically, to computing devices that implement quantum-resistant cryptographic algorithms.
Description of the Related Art
[0003]Quantum computers pose a significant threat to existing asymmetric cryptographic algorithms because they can solve certain mathematical problems much more efficiently than classical computers, by leveraging quantum phenomena such as superposition and entanglement for parallel processing. Traditional public-key cryptography has relied on computational difficulty of particular problems. For instance, Rivest-Shamir-Adleman (RSA) encryption relies on the property that multiplying two large prime numbers is easy but factoring them is hard for classical computers. With Shor's Algorithm, however, quantum computers can efficiently factor large integers, rendering RSA and other asymmetric encryption schemes insecure. This looming vulnerability has driven the development of quantum-resistant cryptography, aiming to safeguard information in the post-quantum era.
BRIEF DESCRIPTION OF THE DRAWINGS
[0004]
[0005]
[0006]
[0007]
[0008]
[0009]
[0010]
DETAILED DESCRIPTION
[0011]Symmetric encryption using a shared key can allow for efficient secure communication between two parties and is not affected by Shor's algorithm. Asking a user to remember a symmetric key by heart or to type one in manually, however, is impractical. Password-authenticated key exchanges (PAKEs) provide a way for users to establish a strong shared key from a low-entropy password instead, without requiring additional cryptographic keys to be exchanged or stored. This property makes PAKEs particularly useful in scenarios where key exchange is difficult or impractical, such as when users need to authenticate with a server before negotiating a secure connection. Nevertheless, since current PAKEs depend on conventional asymmetric cryptography, they are vulnerable to Shor's algorithm.
[0012]The present disclosure describes various embodiments of quantum-resistant/post-quantum PAKEs used to secure communication between computing devices. As will be described below in some embodiments, a shared secret can be established for securing communication between a first device and a second device by using one of multiple hybrid password-authenticated key exchanges (PAKEs) in which a pre-quantum key exchange, such as an elliptic-curve key exchange, is used to wrap a post-quantum key exchange mechanism (KEM), such as a Module-Lattice based Key-Encapsulation Mechanism (ML-KEM). In some embodiments discussed below, a quantum resistant PAKE can be transformed into an augmented password-authenticated key exchange (APAKE), which can provide greater security, by using a persisted public key generated by a KEM based on a password. Various other techniques will also be discussed to improve the security of quantum-resistant PAKES.
[0013]Turning now to
[0014]Devices 100 may correspond to any suitable computing devices/systems. In some embodiments, one or both of devices 100 are mobile devices such as a mobile phone, tablet computer, handheld computer, music player, laptop or notebook computer, personal data assistant (PDA), consumer device, etc. In some embodiments, one or both of devices 100 are an internet of things (IoT) device, server system, desktop computer, mainframe computer system, workstation, network computer, etc. In some embodiments, one or both of devices 100 are a wearable device such as a watch, athletic sensor, or a head mounted display, which may be a headset, helmet, goggles, glasses, a phone inserted into an enclosure, etc. In some embodiments, one or both of devices 100 are a vehicle such as an aircraft, marine vessels, recreational vehicles (RVs), automobiles, buses, railed vehicles, spacecraft, robotic devices, trucks, trailers, cranes, caterpillars, etc. Although the relationship of devices 100A and 100B is shown as a server client relationship in the illustrated embodiment, devices 100 may be peer devices in other embodiments.
[0015]Devices 100 may use a quantum-resistant PAKE 120 for any of various purposes. For example, PAKE 120 may be used for device pairing/bonding such as associating a device 100A to a user account maintained by device 100B, device 100A presenting content on a display of device 100B, device 100A using device 100B as an accessory, etc. PAKE 120 may be used to establish a shared secret 122 for end-to-end encryption of messages between devices 100, which may include text messages, emails, push notifications, etc. User device 100A may perform PAKE 120 for remote access to server device 100B, such as to establish a virtual private network (VPN) tunnel, secure shell (SSH) session, or remote desktop (RDP) connection. Devices 100 may use PAKE 120 for performing a file transfer via the secure communication encrypted using the shared secret such as migrating data from device 100A to device 100B. Devices 100 may use PAKE 120 to provide end-to-end encryption for Voice over Internet Protocol (VOIP) communications to ensure that voice conversations remain private and secure. In some embodiments, server device 100B is a Wi-Fi® access point that user device 100A connects to using PAKE 120. In some embodiments, server device 100B implements a cloud-based service accessible to device 100A, which uses a PAKE 120 to authenticate and establish a secure communication 140 via Transport Layer Security (TLS), Hypertext Transfer Protocol Secure (HTTPS), etc. User data stored on the cloud-based service may also be protected using PAKE 120.
[0016]In the illustrated embodiment, devices 100 implement a quantum-resistant PAKE 120 via cryptographic modules 110, which are software, hardware, or combination operable to perform a quantum-resistant PAKE 120. As will be discussed, modules 110 may perform PAKE 120 using a KEM, which is quantum resistant. In some embodiments, the KEM is a lattice-based KEM and may be based on a learning with errors (LWE) algorithm. For example, the KEM may be an ML-KEM such as Kyber, which is part of the Cryptographic Suite for Algebraic Lattices (CRYSTALS). Other KEM examples may include New Hope, Sike, FrodoKEM, NTRU, Saber, etc. Because these KEMs are still being evaluated to assess reliability, quantum-resistant PAKE 120 may be implemented as a hybrid algorithm in which a pre-quantum key exchange is used with a post quantum KEM, so that PAKE 120 is, at least, as secure as the pre-quantum key exchange. As will be discussed with
Hybrid PAKEs
[0017]Turning now to
[0018]As shown, ECKE 202 may begin with user cryptographic module 110A in user device 100A selecting a generator 210A on an elliptic curve based on password 112A while server cryptographic module 110B in user device 100A selects a generator 210B on the elliptic curve based on password 112B. This elliptic curve may correspond to any suitable curve such as Curve25519, Curve448, etc. In various embodiments, modules 110 select a generator 210 based on a password 112 by performing a hash-to-curve map of the password 112. Assuming both passwords 112A and 112B are the same, modules 110 now possess the same selected generator 210. Modules 110 may then select respective elliptic curve (EC) private keys 212A and 212B and multiply them by generators 210 to produce respective EC public keys 214A and 212B. After exchanging EC public keys 214, each module 110 performs a key derivation function (KDF) 220 using its EC private key 212 and the other module 110's exchanged EC public key 214 to produce an initial secret 222. In various embodiments, KDF 220 is an application of elliptic-curve Diffie-Hellman (ECDH). This initial secret 222 may then be used to secure the post-quantum KEM 204 exchange.
[0019]Post-quantum KEM 204 may begin with server module 110B generating a KEM public key pair including a KEM public key 232 and a KEM private key 234. In various embodiments, this is performed using a generation function defined by the KEM such as ML-KEM/Kyber.CPA.KeyGen( ) in embodiments in which ML-KEM/Kyber is being used as the KEM or ML-BUKEM.KeyGen( ) as will be discussed below. Server module 110B then performs an encryption 230 of the KEM public key 232 using its derived initial secret 222 and provides the encrypted KEM public key 232 to user module 110A. In response, user module 110A performs a decryption 240 of the encrypted KEM public key 232 using its derived initial secret 222. In various embodiments, encryption 230 and decryption 240 are performed using a symmetric block cipher such as Advanced Encryption Standard (AES).
[0020]Once module 110A possess the decrypted KEM public key 232, user module 110A performs an encapsulation 250 of KEM public key 232, which produces a ciphertext 252 and a key. In various embodiments, this is performed using an encapsulation function defined by the KEM such as ML-KEM/Kyber.Encaps( ) in embodiments in which ML-KEM/Kyber is being used as the KEM or ML-BUKEM.Encaps( ) as will be discussed below. In some embodiments, the key output from encapsulation 250 may be used as shared secret 122, which may be used to encrypt communication 140. In other embodiments discussed below, this key may undergo further processing to produce shared secret 122, which may be used to derive one or more additional keys used to encrypt communication 140. As used herein, “using” a cryptographic key to decrypt or encrypt broadly includes 1) decrypting and encrypting with that key, 2) using that key as key material to derive one or more additional keys used to decrypt or encrypt, or 3) using that key to decrypt or encrypt another key used to perform encryption or decryption. Module 110A provides the resulting ciphertext 252 of the encapsulation 250 to module 110B, which performs a decapsulation 260 using the ciphertext 252 and its KEM private key 234. In various embodiments, this is performed using a decapsulation function defined by the KEM such as ML-KEM/Kyber.Decaps( ) or ML-BUKEM.Decaps( ) as will be discussed below. In some embodiments, the key output from decapsulation 260 may be used as shared secret 122; in other embodiments, however, this key may undergo further processing to produce shared secret 122. Post-quantum KEM 204 may also include performance of operations discussed below with
[0021]Examples of hybrid PAKEs that implement the general flow PAKE 200 will now be discussed.
[0022]Turning now to
[0023]PAKE 200A begins in the initial ECKE 202 portion with user module 110A selecting a generator G 210A based on password pwu 112A by performing a hash-to-curve map HG of a shared session identifier (SSID), password pwu 112A, a user identity U, and a server identity S. Module 110A selects a private key a 212A and multiplies it by generator G to produce public key A 214A, which is provided to server module 110B. Server module 110B similarly selects a generator G′ using a hash-to-curve map HG of the SSID, its password pws 112B, U, and S. Server module 110B selects a private key b 212B and multiplies it with G′ to determine a corresponding public key B 214B. Service module 110B performs a KDF 220 that includes performing ECDH using A and b to produce a key K. KDF 220 further includes an encryption hash HE of the SSID, A, B, and K to produce SK1 corresponding to initial secret 222.
[0024]PAKE 200A continues in the post-quantum KEM 204 portion with the server module 110B generating a KEM public key pk 232 and a corresponding KEM private/secret key sk 234. Service module 110B performs an encryption 230 including a first encryption of the public key pk using the SSID concatenated with the server password pws as the encryption key to produce an encrypted KEM public key Epk. Server module 110B then performs a second encryption of Epk with the SK1, as part of encryption 230, to produce doubly encrypted Epk. Server module 110B then provides its EC public key B and doubly encrypted Epk to user module 110A.
[0025]The ECKE 202 portion completes with user module 110A performing KDF 220 using its private key a and the received public key B to produce a key K′, which is hashed as discuss above to produce initial secret SK′1 222. User module 110A then performs a decryption 240, which includes a first decryption of Epk using SK×1 and second decryption of Epk using the SSID concatenated with its password pwu to produce decrypted pk′.
[0026]PAKE 200B resumes the post-quantum KEM 204 portion with user module 110A performing an encapsulation 250 using pk′ to produce a ciphertext c 252 and key k. User module 110A performs a key confirmation hash Hkc of the SSID, U, S, pwu, Epk, c, and k to produce a hash value H, which is divided into hash value h1, hash value h2, and shared secret SK2 122. User module 110A encrypts the ciphertext c and hash h1 using SK′1 and sends them over to server module 110B.
[0027]Server module 110B decrypts the ciphertext c and hash h1 using SK1 and performs a decapsulation 260 using the ciphertext and private key sk to extract a key k. Server module 110B hashes the SSID, U, S, pws, Epk, c, and k to produce a hash value H′, which is divided into hash value h1′, hash value h2, and shared secret SK′2 122. Server module 110B then compares its h1′ to the decrypted h1 and outputs SK′2 if they match indicating both sides input the same passwords 112.
[0028]Turning now to
[0029]In some embodiments, PAKE 200B may conclude with h2 being provided back to the user device 100A for a comparison with its local copy of h2 as shown in
[0030]Turning now to
[0031]A proof of a cryptographic algorithm based on ideal ciphers can be considered less secure than one based on random oracles due to the inherent differences in their theoretical models. Ideal ciphers are a more restrictive and specific model, representing a perfect block cipher with fixed input and output lengths. This model does not capture the full range of possible cryptographic functions and can be more susceptible to certain types of attacks. On the other hand, the random oracle model assumes the existence of a truly random function that provides a broader and more flexible abstraction, making it a stronger and more versatile foundation for security proofs. This flexibility allows for a wider range of cryptographic constructions and more robust security guarantees, as it better approximates the behavior of real-world cryptographic functions. Consequently, proofs based on random oracles can be seen as providing a higher level of security assurance.
[0032]In the illustrated embodiment, initial ECKE 202 portion of PAKE 200D can be implemented in a similar manner as discussed with PAKES 200A-C. After server device 100B provides Epk to user device 100A, device 100A similarly performs a hash 221 of the SSID, the user password pwu, and SK′1 to produce r′1, which is used in a decryption 240 that is also using OTP by performing an XOR of r1 and Epk to produce pk′. An encapsulation 250 of the pk′ is performed to produce a ciphertext c and key k. In some embodiments, encapsulation 250 (as well as the key generation and decapsulation 260) is performed using a UKEM such as discussed below. Another hash H2 of the SSID, pwu, SK′1, and Epk is performed to produce a hash value result r2. The ciphertext c is then encrypted using r2 via OTP to produce an encrypted ciphertext Ec, which is provided to server device 100B. User device 100A may then derive shared secret SK2 by hashing the SSID, the user identity U, the server identity S, Epk, Ec, k, pwu, and SK′1.
[0033]In response to receiving encrypted ciphertext Ec, server device 100B determines r′2 by performing hash H2 using the SSID, pws, SK1, and Epk. Ec is then decrypted using r′2 via OTP. Server device 100B performs a decapsulation 260 of ciphertext c′ using the corresponding secret key sk to produce key k′. Server device 100B then similarly derives shared secret SK′2 by hashing the SSID, the user identity U, the server identity S, Epk, Ec, k′, pwu, and SK1.
[0034]In some embodiments, PAKE 200D further includes user device 100A generating hash values h1 and h2 from SK2 and providing h1 to server device 100B for a comparison with locally generated copy of h1 as shown in
Augmented PAKEs
[0035]In the hybrid PAKES 200 discussed above, server device 110B uses its password 112B as an input into the PAKE. Storing multiple passwords 112B, however, creates an additional vulnerability if these passwords 112 are ever compromised as they could allow an attacker to masquerade as a user device 100A. To avoid storing these passwords 112, a PAKE 120 may be transformed into an APAKE as will be discussed next.
[0036]Turning now to
[0037]As shown, APAKE 300 includes a user module 110A inputting a user password 112A into a KEM key generator 310, such as Kyber.CPA.KeyGen( ) to produce a persisted KEM public key 312 and a persisted KEM private key 314. During the initial performance of APAKE 300, server module 110B may perform the same inputting of its server password 112B into KEM key generator 310 to produce persisted KEM public key 312 and persisted KEM private key 314. Server module 110B stores persisted KEM public key 312 and uses it in lieu of storing password 112B. Accordingly, when APAKE 300 is performed again, server module 110B merely retrieves persisted KEM public key 312 and begins performing its portion of APAKE 300. Thus, if persisted KEM public key 312 is ever compromised, a malicious actor may know key 312 but is unable to easily determine password 112.
[0038]After retrieving persisted KEM public key 312, server module 110B performs an encapsulation 320, such as Kyber.Encaps( ) using the persisted KEM public key 312 to produce a ciphertext 322 and a key. Server module 110B provides this ciphertext 322 to user module 110A. User module 110A then performs a decapsulation 330, such as Kyber.Decaps( ) using ciphertext 322 and persisted KEM private key 314. In some embodiments, the keys output from encapsulation 320 and decapsulation 330 may be used as shared secret 122; in other embodiments, however, these keys may undergo further processing to produce shared secret 122 as will be discussed.
[0039]Examples of APAKEs that implement the general flow PAKE 300 will now be discussed.
[0040]Turning now to
[0041]APAKE 300A begins with user module 110A performing a password confirmation hash Hpwc of a salt s and password pwu 112A to produce a hash value d′. Module 110A inputs this hash value d′ into the key generator 310 to produce a persisted KEM public key pk′pw 312 and persisted KEM private key sk′pw 314. Module 110A also uses the generator 310 to produce an ephemeral public key pair pk, sk. Module 110A then encrypts the ephemeral public key pk using the SSID concatenated with the persisted public key pk′pw to produce an encrypted Epk provided to server module 110B.
[0042]In response to receiving Epk, Server module 110B retrieves a previously stored copy of a persisted KEM public key pkpw 312 and uses it and the SSID to decrypt Epk to produce decrypted pk′. Server module 110B performs an encapsulation using pk′ to produce a ciphertext c 317 and a key k. Server module 110B performs a key confirmation hash Hkc of the SSID, U, S, pkpw, Epk, c, and k to produce a hash value H, which is divided into hash value h1, hash value h2, and key SK. Server module 110B performs a second encapsulation 320 using pkpw to produce a ciphertext cpw 322 and a key kpw. Server module 110B performs a second key confirmation hash Hkc of U, S, the SSID, SK, cpw, and kpw to produce another hash value H, which is divided into hash value hpw,1, hash value hpw,2, and shared secret SKpw 122. Secure module 110B then uses SK to encrypt s, cpw, hpw,1 and send the encrypted values and the ciphertext c over to user module 110A.
[0043]User module 110A performs a decapsulation 325 using the ciphertext c and the ephemeral private key sk to produce a key k′. User module 110A performs a key confirmation hash Hkc of the SSID, U, S, pk′pw, Epk, c, and k′ to produce a hash value H′, which is divided into hash value h′1, hash value h′2, and key SK′. APAKE 300A is aborted if h1 and h′1 are not equal. User module 110A decrypts cpw and hpw,1 using SK′ and performs a decapsulation 330 using persisted private key sk′pw and cpw to the key k′pw. User module 110A performs a second key confirmation hash Hkc of U, S, the SSID, SK′, cpw, and k′pw to produce another hash value H′, which is divided into hash value h′pw,1, hash value h′pw,2, and shared secret SK′pw 122. APAKE 300A is aborted if hpw,1 and h′pw,1 are not equal. User module 110A then encrypts h′pw,2 using SK′ and a message m using SK′pw, which are sent over to server module 110B for verification.
[0044]Server module 110B decrypts h′pw,2 using SK and m using SKpw 122. APAKE 300A is aborted if hpw,2 and h′pw,2 are not equal. Otherwise, server module 110B outputs m and SKpw 122 for use in securing communication 140.
[0045]Turning now to
[0046]APAKE 300B begins with user module 110A performing a password confirmation hash Hpwc of a salt s and password pwu 112A to produce a hash value d′. Module 110A inputs this hash value d′ into the key generator 310 to produce a persisted KEM public key pk′pw 312 and persisted KEM private key sk′pw 314. User module 110A then performs an ECKE that includes selecting a generator G 350 based on a persisted KEM public key pk′pw 312 by performing a hash-to-curve map HG of the SSID, pk′pw, a user identity U, and a server identity S. User module 110A selects an EC private key a and multiplies it by the generator 350 to produce an EC public key A, which it provides to server module 110B.
[0047]Server module 110B retrieves its copy of the persisted KEM public key pkpw 312 and selects the same generator G′ 350 based on pkpw 312 by performing a hash-to-curve map HG of the SSID, pkpw, a user identity U, and a server identity S. Server module 110B selects an EC private key b and multiplies it by the generator 350 to produce an EC public key B. Server module 110B performs a KDF including an ECDH of A and b to produce a key K. Server module 110B then performs a generator hash Hg of the SSID, pkpw, A, B, and K to produce an initial secret SK1. Server module 110B generates an ephemeral KEM public key pk and a corresponding ephemeral KEM private/secret key sk. Server module 110B encrypts pk using SK1 to produce Epk, which is provided along with B to user module 110A.
[0048]User module 110A performs a KDF that includes an ECDH of a and B to produce a key K′ and performs a generator hash Hg of the SSID, pk′pw, A, B, and K′ to produce an initial secret SK′1. User module 110A decrypts Epk using SK′1 to produce pk′ and performs first encapsulation using pk′ to produce a ciphertext c and a key k. User module 110A performs a key confirmation hash Hkc of the SSID, U, S, pk′pw, Epk, c, and k to produce a hash value H, which is divided into hash value h1, hash value h2, and key SK2. Module 110A encrypts c concatenated with h1 using SK′1 and sends them over to server module 110B.
[0049]Server module 110B decrypts c and h1 using SK1 and performs a first decapsulation using c and ephemeral KEM private key sk to produce a key k′. Server module 110B performs a key confirmation hash Hkc of the SSID, U, S, pkpw, Epk, c, and k′ to produce a hash value H, which is divided into hash value h′1, hash value h′2, and key SK′2. APAKE 300B is aborted if h1 and h′1 are not equal. Server module 110B performs a second encapsulation 320 using pkpw 312 to produce a ciphertext cpw and a key kpw. Server module 110B performs a second key confirmation hash Hkc of U, S, the SSID, SK, cpw, and kpw to produce another hash value H, which is divided into hash value hpw,1, hash value hpw,2, and shared secret SKpw 122. Secure module 110B then uses SK′2 to encrypt cpw and hpw,1 and sends the encrypted them over to user module 110A.
[0050]User module 110A uses SK2 to decrypt cpw and hpw,1. User module 110A may regenerate pk′pw and sk′pw as discussed above and performs a second decapsulation 330 using sk′pw and cpw to produce k′pw. User module 110A performs a second key confirmation hash Hkc of U, S, the SSID, SK2, cpw, and k′pw to produce another hash value H′, which is divided into hash value h′pw,1, hash value h′pw,2, and shared secret SK′pw 122. APAKE 300A is aborted if hpw,1 and h′pw,1 are not equal. User module 110A then encrypts h′pw,2 using SK′ and a message m using SK′pw, which are sent over to server module 110B for verification.
[0051]Server module 110B decrypts h′pw,2 using SK and m using SKpw 122. APAKE 300A is aborted if hpw,2 and h′pw,2 are not equal. Otherwise, server module 110B outputs m and SKpw 122 for use in securing communication 140.
[0052]Turning now to
[0053]As shown, APAKE portion 360 begins with server device 100B performing an encapsulation 320 using pk 312 to produce a ciphertext c and key k. Server device 100B performs a hash Hkc of U, S, the SSID, SK′2, c, and k. Server device 100B separates out h1, h2, and SKout from the resulting hash value. Server device 100B performs a hash H3 of SK′2 to produce result/mask r3 and encrypts ciphertext c using r3 via OTP to produce Epwc, which is sent with h1 to user device 100A. User device 100A reproduces r′3 from hashing SK2 and decrypts c′ via OTP. User device 100A regenerates sk* and performs a decapsulation 330 of c′ using sk* to produce k*. User device 100A performs a hash Hkc of U, S, the SSID, SK2, c′, and k*. User device 100A separates h1*, h2*, and SK′out from the result and then performs a hash value comparison as in hybrid PAKE 200E discussed above.
Quantum Uniform Authenticated Key Exchanges (QUAKEs)
[0054]Some post-quantum KEMs, such as ML-KEM, perform a compression operation when generating KEM public key pairs and when performing a KEM encapsulation in order to reduce the sizes of the keys and the corresponding ciphertext. While these keys and ciphertext appear uniform when represented in integer form, this is not the case when the keys and ciphertext are converted to binary as performance of the compression operation includes multiple arithmetic operations performed modulo a prime number q, which is not close to a power of two (e.g., q being 3329 in ML-KEM). This bit-sequence non-uniformity is problematic as it causes the number of possible preimages to differ between compressed elements and causes the KEM to not be anonymous. It is also problematic as it can make the KEM keys distinguishable from random data, which can result in the KEM being insecure. A PAKE using such a KEM, however, can be modified to mitigate this issue as will be discussed.
[0055]Turning now to
[0056]As shown, QUAKE 400A can include user module 110A performing a UKEM key generation 402, such as UKEM.KeyGen( ) discussed with
[0057]To address the first issue with KEM key generation in the illustrated embodiment, UKEM.KeyGen( ) 402 has been modified to include a repacking operation 410 of public key pk, discussed with
[0058]To address the second issue with KEM encapsulation in the illustrated embodiment, UKEM.Encaps( ) 404 further includes a randomized decompression 450 of ciphertext c's elements, discussed with
[0059]Turning now to
[0060]Repacking 415 repacks elements of a KEM public key 412 received from a KEM generation into a base-q integer having an ordering such that a first element is the least significant and a last element is the most significant, the base-q integer now being within a first range of [0, q′) where q is the KEM's prime (e.g., 3329) and t is the elements in one integer. In some embodiments, repacking 415 uses Horner's method.
[0061]Addition 420 adds, to the repacked elements, a random multiple 422 of a maximum of the first range. If random multiple 422 is within a second range [0, m) (m being the maximum range of factor), then the resulting base-q integer is in the range [0, m·qt). m is chosen such that m·qt is within a particular threshold of a power of two. As a result, the binary encoding of the base-q integer is now very close to uniform. Thus, the second range is chosen such that a multiplication of a maximum of the first range [0, qt) and a maximum of the second range [0, m) is within the particular threshold of a power of two. In some embodiments, this particular threshold is defined as a threshold of 2−40: (<Next Power of two>−the multiplication result)/<Next Power of two><2−40.
[0062]While the binary encoding is already a sequence of bits that is close to uniform, padding 425 is performed to pad a result of the addition 420 to have a length equal to a multiple of a cipher block size associated with the KEM (e.g., 256 bits per block) to produce a repacked version of the public key 427. In particular, padding 425 appends b random bits to pad the sequence of bits until it reaches this correct length.
[0063]In embodiments in which the KEM is ML-KEM, a public key in ML-KEM includes k·n elements, k being the security parameter and n being the number of polynomial coefficients. At is chosen that divides this number, which allows the public key to be fully packed into k·n/t integers. After these steps 415-425, the bit length of a repacked public key λpk is t·[log2(k·n)]+b.
[0064]An example of a first algorithm implementing repacking operation 410 is depicted in
[0065]Turning now to
[0066]In the case of ML-KEM, ML-KEM's decompression takes in an element y E Z2
[0067]An example of a third algorithm implementing randomized decompression 450 is depicted in
[0068]Turning now to
[0069]Various ones of the PAKEs discussed above (or other suitable PAKEs) may incorporate operations 410-450. Two additional PAKEs including these features will now be discussed.
[0070]Turning now to
[0071]Turning now to
[0072]Accordingly, when QUAKE+ is performed again, server device 100B performs APAKE portion 450B in which device 100B performs an KEM encapsulation of pk to produce ciphertext c and key k. Device 100B performs a hash Hkc of U, S, the SSID, SK, c, and k. From this hash result, device 100B separates out h1, h2, and SKout to perform the hash comparison discussed above with KC-QUAKE. Server device 100B then performs a hash H3 of SK to produce r3, which used to encrypt ciphertext c via OTP to produce Epwc. Server device 100B sends Ec, Epwc, and h1 to user device 100A. Device 100A then decrypts Ec using OTP as discussed above with QUAKE 400A and decapsulates it to produce k′ and then SK′. User device 100A then performs a corresponding APAKA portion 450A in which r′3 is produced by performing a hash H3 of SK′ and decrypting Epwc using r′3 via OTP. User device 100A then regenerates sk* to decapsulate c′ to produce k*, which is hashed using Hkc as discussed to eventually produce SK′out as shared secret 122.
Methods
[0073]Turning now to
[0074]The hybrid PAKE begins in step 510, with deriving an initial secret (e.g., initial secret 222) using an elliptic-curve key exchange (ECKE) (e.g., ECKE 202) using a generator (e.g., generator 210B) selected based on a password (e.g., server password 112B). In step 520, the hybrid PAKE includes encrypting (e.g., via encryption 230), using the initial secret, a public key of a key encapsulation mechanism (KEM) for transmission to the second device. In various embodiments, the encrypting uses the initial secret and the password. In some embodiments, the encrypting includes a first encryption of the public key using the password and a second encryption of the public key using the initial secret. In some embodiments, the encrypting includes hashing the initial secret and the password to produce a hashed key and encrypting the public key using the hashed key. In step 530, the hybrid PAKE includes decrypting, using the initial secret, a ciphertext received from the second device encapsulating (e.g., encapsulation 250) the shared secret using the public key. In step 540, the hybrid PAKE includes decapsulating (e.g., decapsulation 260) the shared secret from the decrypted ciphertext using a private key of the KEM. In some embodiments, the hybrid PAKE further includes hashing the decapsulated shared secret with the password to establish the shared secret. In various embodiments, method 500 includes establishing a secure communication channel with the second device using the established shared secret and providing data to the second device via the established secure communication channel.
[0075]Turning now to
[0076]The hybrid PAKE begins in step 560 with deriving an initial secret (e.g., initial secret 222) using an elliptic-curve key exchange (ECKE) (e.g., ECKE 202) using a generator selected based on a password. In step 570, the hybrid PAKE includes decrypting (e.g., decryption 240), using the initial secret, a public key of a key encapsulation mechanism (KEM) for transmission to the second device. In some embodiments, the decrypting uses the initial secret and the password. In some embodiments, the decrypting includes a first decryption of the public key using the password and a second decryption of the public key using the initial secret. In some embodiments, the decrypting includes hashing the initial secret and the password to produce a hashed key and decrypting the public key using the hashed key. In step 580, the hybrid PAKE includes encapsulating (e.g., encapsulation 250) the public key using the KEM to produce a ciphertext and the shared secret. In step 590, the hybrid PAKE includes providing the ciphertext (e.g., ciphertext 252) from the first device to the second device for decapsulation. In some embodiments, the hybrid PAKE further includes hashing the produced shared secret with the password to establish the shared secret. In various embodiments, method 550 includes establishing a secure communication channel with the second device using the established shared secret and providing data to the second device via the established secure communication channel.
[0077]Turning now to
[0078]The APAKE begins in step 610 with retrieving a persisted public key (e.g., key 312) generated by a key encapsulation mechanism (KEM) based on a password. In step 620, the APAKE includes performing an encapsulation (e.g., encapsulation 320) using the persisted public key and the KEM to produce a ciphertext encapsulating the shared secret. In step 630, the APAKE includes providing the ciphertext to the second device. In various embodiments, the APAKE further includes decrypting a received ephemeral public key using the persisted public key, performing a second encapsulation (e.g., encapsulation 315) using the ephemeral public key and the KEM to produce a second ciphertext, and providing the second ciphertext (e.g., ciphertext 317) to the second device. In some embodiments, the APAKE further includes deriving the shared secret based on keys produced from the encapsulations using the persisted and ephemeral public keys. In various embodiments, the APAKE further includes deriving an initial secret using an elliptic-curve key exchange (ECKE) using a generator (e.g., generator 350) selected based on the persisted public key and encrypting, using the initial secret, an ephemeral public key of the KEM for transmission to the second device. In some embodiments, the APAKE further includes deriving the shared secret based on keys produced from the encapsulation using the persisted public key and a decapsulation using a ciphertext produced from an encapsulation using the ephemeral public key and the KEM. In various embodiments, method 600 includes establishing a secure communication channel with the second device using the established shared secret and providing data to the second device via the established secure communication channel.
[0079]Turning now to
[0080]The APAKA begins in step 660 with using a key encapsulation mechanism (KEM) to generate (e.g., via generator 310) a persisted private key (e.g., persisted KEM private key 314) based on a password. In step 670, the APAKA includes receiving a first ciphertext (e.g., ciphertext 322) produced from performing an encapsulation (e.g., encapsulation 320) using a persisted public key generated by the KEM based on the password. In step 680, the APAKA includes performs a decapsulation (e.g., decapsulation 330) using the first ciphertext and the persisted private key to produce the shared secret. In various embodiments, the APAKE further includes encrypting an ephemeral public key using the persisted public key for transmission to the second device and performing a second decapsulation (e.g., decapsulation 325) using a second ciphertext (e.g., ciphertext 317) produced from an encapsulation (e.g., encapsulation 315) using the ephemeral public key. In some embodiments, the APAKE further includes producing the shared secret based on keys produced from the decapsulations using the first and second ciphertexts. In various embodiments, the APAKE further includes deriving an initial secret using an elliptic-curve key exchange (ECKE) using a generator (e.g., generator 350) selected based on the persisted public key and decrypting, using the initial secret, an ephemeral public key of the KEM received from the second device. In some embodiments, the APAKE further includes deriving the shared secret based on keys produced from the decapsulation using the persisted private key and an encapsulation using the ephemeral public key and the KEM. In various embodiments, method 650 includes establishing a secure communication channel with the second device using the established shared secret and providing data to the second device via the established secure communication channel.
Exemplary Computer System
[0081]Turning now to
[0082]Fabric 710 may include various interconnects, buses, MUX's, controllers, etc., and may be configured to facilitate communication between various elements of device 700. In some embodiments, portions of fabric 710 may be configured to implement various different communication protocols. In other embodiments, fabric 710 may implement a single communication protocol and elements coupled to fabric 710 may convert from the single communication protocol to other communication protocols internally.
[0083]In the illustrated embodiment, compute complex 720 includes bus interface unit (BIU) 722, cache 724, and cores 726A-B. In various embodiments, compute complex 720 may include various numbers of processors, processor cores and caches. For example, compute complex 720 may include 1, 2, or 4 processor cores, or any other suitable number. In one embodiment, cache 724 is a set associative L2 cache. In some embodiments, cores 726A-B may include internal instruction and data caches. In some embodiments, a coherency unit (not shown) in fabric 710, cache 724, or elsewhere in device 700 may be configured to maintain coherency between various caches of device 700. BIU 722 may be configured to manage communication between compute complex 720 and other elements of device 700. Processor cores such as cores 726A-B may be configured to execute instructions of a particular instruction set architecture (ISA) which may include operating system instructions and user application instructions. These instructions may be stored in computer readable medium such as a memory coupled to memory controller 730 discussed below.
[0084]As used herein, the term “coupled to” may indicate one or more connections between elements, and a coupling may include intervening elements. For example, in
[0085]Cache/memory controller 730 may be configured to manage transfer of data between fabric 710 and one or more caches and memories. For example, cache/memory controller 730 may be coupled to an L3 cache, which may in turn be coupled to a system memory. In other embodiments, cache/memory controller 730 may be directly coupled to a memory. In some embodiments, cache/memory controller 730 may include one or more internal caches. Memory coupled to controller 730 may be any type of volatile memory, such as dynamic random access memory (DRAM), synchronous DRAM (SDRAM), double data rate (DDR, DDR2, DDR3, etc.) SDRAM (including mobile versions of the SDRAMs such as mDDR3, etc., and/or low power versions of the SDRAMs such as LPDDR4, etc.), RAMBUS DRAM (RDRAM), static RAM (SRAM), etc. One or more memory devices may be coupled onto a circuit board to form memory modules such as single inline memory modules (SIMMs), dual inline memory modules (DIMMs), etc. Alternatively, the devices may be mounted with an integrated circuit in a chip-on-chip configuration, a package-on-package configuration, or a multi-chip module configuration. Memory coupled to controller 730 may be any type of non-volatile memory such as NAND flash memory, NOR flash memory, nano RAM (NRAM), magneto-resistive RAM (MRAM), phase change RAM (PRAM), Racetrack memory, Memristor memory, etc. As noted above, this memory may store program instructions, such as a cryptographic module 110, executable by compute complex 720 to cause device 700 to perform functionality described herein.
[0086]Graphics unit 740 may include one or more processors, e.g., one or more graphics processing units (GPUs). Graphics unit 740 may receive graphics-oriented instructions, such as OPENGL®, Metal®, or DIRECT3D® instructions, for example. Graphics unit 740 may execute specialized GPU instructions or perform other operations based on the received graphics-oriented instructions. Graphics unit 740 may generally be configured to process large blocks of data in parallel and may build images in a frame buffer for output to a display, which may be included in the device or may be a separate device. Graphics unit 740 may include transform, lighting, triangle, and rendering engines in one or more graphics processing pipelines. Graphics unit 740 may output pixel information for display images. Graphics unit 740, in various embodiments, may include programmable shader circuitry which may include highly parallel execution cores configured to execute graphics programs, which may include pixel tasks, vertex tasks, and compute tasks (which may or may not be graphics-related).
[0087]Display unit 750 may be configured to read data from a frame buffer and provide a stream of pixel values for display. Display unit 750 may be configured as a display pipeline in some embodiments. Additionally, display unit 750 may be configured to blend multiple frames to produce an output frame. Further, display unit 750 may include one or more interfaces (e.g., MIPI® or embedded display port (eDP)) for coupling to a user display (e.g., a touchscreen or an external display).
[0088]I/O bridge 760 may include various elements configured to implement: universal serial bus (USB) communications, security, audio, and low-power always-on functionality, for example. I/O bridge 760 may also include interfaces such as pulse-width modulation (PWM), general-purpose input/output (GPIO), serial peripheral interface (SPI), and inter-integrated circuit (I2C), for example. Various types of peripherals and devices may be coupled to device 700 via I/O bridge 760.
[0089]In some embodiments, device 700 includes network interface circuitry (not explicitly shown), which may be connected to fabric 710 or I/O bridge 760. The network interface circuitry may be configured to communicate via various networks, which may be wired, wireless, or both. For example, the network interface circuitry may be configured to communicate via a wired local area network, a wireless local area network (e.g., via Wi-Fi®), or a wide area network (e.g., the Internet or a virtual private network). In some embodiments, the network interface circuitry is configured to communicate via one or more cellular networks that use one or more radio access technologies. In some embodiments, the network interface circuitry is configured to communicate using device-to-device communications (e.g., Bluetooth® or Wi-Fi® Direct), etc. In various embodiments, the network interface circuitry may provide device 700 with connectivity to various types of other devices and networks.
EXAMPLE APPLICATIONS
[0090]Turning now to
[0091]Similarly, disclosed elements may be utilized in a wearable device 860, such as a smartwatch or a health-monitoring device. Smartwatches, in many embodiments, may implement a variety of different functions—for example, access to email, cellular service, calendar, health monitoring, etc. A wearable device may also be designed solely to perform health-monitoring functions, such as monitoring a user's vital signs, performing epidemiological functions such as contact tracing, providing communication to an emergency medical service, etc. Other types of devices are also contemplated, including devices worn on the neck, devices implantable in the human body, glasses or a helmet designed to provide computer-generated reality experiences such as those based on augmented and/or virtual reality, etc.
[0092]System or device 800 may also be used in various other contexts. For example, system or device 800 may be utilized in the context of a server computer system, such as a dedicated server or on shared hardware that implements a cloud-based service 870. Still further, system or device 800 may be implemented in a wide range of specialized everyday devices, including devices 880 commonly found in the home such as refrigerators, thermostats, security cameras, etc. The interconnection of such devices is often referred to as the “Internet of Things” (IoT). Elements may also be implemented in various modes of transportation. For example, system or device 800 could be employed in the control systems, guidance systems, entertainment systems, etc. of various types of vehicles 890.
[0093]The applications illustrated in
[0094]The present disclosure includes references to “an embodiment” or groups of “embodiments” (e.g., “some embodiments” or “various embodiments”). Embodiments are different implementations or instances of the disclosed concepts. References to “an embodiment,” “one embodiment,” “a particular embodiment,” and the like do not necessarily refer to the same embodiment. A large number of possible embodiments are contemplated, including those specifically disclosed, as well as modifications or alternatives that fall within the spirit or scope of the disclosure.
[0095]This disclosure may discuss potential advantages that may arise from the disclosed embodiments. Not all implementations of these embodiments will necessarily manifest any or all of the potential advantages. Whether an advantage is realized for a particular implementation depends on many factors, some of which are outside the scope of this disclosure. In fact, there are a number of reasons why an implementation that falls within the scope of the claims might not exhibit some or all of any disclosed advantages. For example, a particular implementation might include other circuitry outside the scope of the disclosure that, in conjunction with one of the disclosed embodiments, negates or diminishes one or more of the disclosed advantages. Furthermore, suboptimal design execution of a particular implementation (e.g., implementation techniques or tools) could also negate or diminish disclosed advantages. Even assuming a skilled implementation, realization of advantages may still depend upon other factors such as the environmental circumstances in which the implementation is deployed. For example, inputs supplied to a particular implementation may prevent one or more problems addressed in this disclosure from arising on a particular occasion, with the result that the benefit of its solution may not be realized. Given the existence of possible factors external to this disclosure, it is expressly intended that any potential advantages described herein are not to be construed as claim limitations that must be met to demonstrate infringement. Rather, identification of such potential advantages is intended to illustrate the type(s) of improvement available to designers having the benefit of this disclosure. That such advantages are described permissively (e.g., stating that a particular advantage “may arise”) is not intended to convey doubt about whether such advantages can in fact be realized, but rather to recognize the technical reality that realization of such advantages often depends on additional factors.
[0096]Unless stated otherwise, embodiments are non-limiting. That is, the disclosed embodiments are not intended to limit the scope of claims that are drafted based on this disclosure, even where only a single example is described with respect to a particular feature. The disclosed embodiments are intended to be illustrative rather than restrictive, absent any statements in the disclosure to the contrary. The application is thus intended to permit claims covering disclosed embodiments, as well as such alternatives, modifications, and equivalents that would be apparent to a person skilled in the art having the benefit of this disclosure.
[0097]For example, features in this application may be combined in any suitable manner. Accordingly, new claims may be formulated during prosecution of this application (or an application claiming priority thereto) to any such combination of features. In particular, with reference to the appended claims, features from dependent claims may be combined with those of other dependent claims where appropriate, including claims that depend from other independent claims. Similarly, features from respective independent claims may be combined where appropriate.
[0098]Accordingly, while the appended dependent claims may be drafted such that each depends on a single other claim, additional dependencies are also contemplated. Any combinations of features in the dependent that are consistent with this disclosure are contemplated and may be claimed in this or another application. In short, combinations are not limited to those specifically enumerated in the appended claims.
[0099]Where appropriate, it is also contemplated that claims drafted in one format or statutory type (e.g., apparatus) are intended to support corresponding claims of another format or statutory type (e.g., method).
[0100]Because this disclosure is a legal document, various terms and phrases may be subject to administrative and judicial interpretation. Public notice is hereby given that the following paragraphs, as well as definitions provided throughout the disclosure, are to be used in determining how to interpret claims that are drafted based on this disclosure.
[0101]References to a singular form of an item (i.e., a noun or noun phrase preceded by “a,” “an,” or “the”) are, unless context clearly dictates otherwise, intended to mean “one or more.” Reference to “an item” in a claim thus does not, without accompanying context, preclude additional instances of the item. A “plurality” of items refers to a set of two or more of the items.
[0102]The word “may” is used herein in a permissive sense (i.e., having the potential to, being able to) and not in a mandatory sense (i.e., must).
[0103]The terms “comprising” and “including,” and forms thereof, are open-ended and mean “including, but not limited to.”
[0104]When the term “or” is used in this disclosure with respect to a list of options, it will generally be understood to be used in the inclusive sense unless the context provides otherwise. Thus, a recitation of “x or y” is equivalent to “x or y, or both,” and thus covers 1) x but not y, 2) y but not x, and 3) both x and y. On the other hand, a phrase such as “either x or y, but not both” makes clear that “or” is being used in the exclusive sense.
[0105]A recitation of “w, x, y, or z, or any combination thereof” or “at least one of . . . w, x, y, and z” is intended to cover all possibilities involving a single element up to the total number of elements in the set. For example, given the set [w, x, y, z], these phrasings cover any single element of the set (e.g., w but not x, y, or z), any two elements (e.g., w and x, but not y or z), any three elements (e.g., w, x, and y, but not z), and all four elements. The phrase “at least one of . . . W, x, y, and z” thus refers to at least one element of the set [w, x, y, z], thereby covering all possible combinations in this list of elements. This phrase is not to be interpreted to require that there is at least one instance of w, at least one instance of x, at least one instance of y, and at least one instance of z.
[0106]Various “labels” may precede nouns or noun phrases in this disclosure. Unless context provides otherwise, different labels used for a feature (e.g., “first circuit,” “second circuit,” “particular circuit,” “given circuit,” etc.) refer to different instances of the feature. Additionally, the labels “first,” “second,” and “third” when applied to a feature do not imply any type of ordering (e.g., spatial, temporal, logical, etc.), unless stated otherwise.
[0107]The phrase “based on” or is used to describe one or more factors that affect a determination. This term does not foreclose the possibility that additional factors may affect the determination. That is, a determination may be solely based on specified factors or based on the specified factors as well as other, unspecified factors. Consider the phrase “determine A based on B.” This phrase specifies that B is a factor that is used to determine A or that affects the determination of A. This phrase does not foreclose that the determination of A may also be based on some other factor, such as C. This phrase is also intended to cover an embodiment in which A is determined based solely on B. As used herein, the phrase “based on” is synonymous with the phrase “based at least in part on.”
[0108]The phrases “in response to” and “responsive to” describe one or more factors that trigger an effect. This phrase does not foreclose the possibility that additional factors may affect or otherwise trigger the effect, either jointly with the specified factors or independent from the specified factors. That is, an effect may be solely in response to those factors, or may be in response to the specified factors as well as other, unspecified factors. Consider the phrase “perform A in response to B.” This phrase specifies that B is a factor that triggers the performance of A, or that triggers a particular result for A. This phrase does not foreclose that performing A may also be in response to some other factor, such as C. This phrase also does not foreclose that performing A may be jointly in response to B and C. This phrase is also intended to cover an embodiment in which A is performed solely in response to B. As used herein, the phrase “responsive to” is synonymous with the phrase “responsive at least in part to.” Similarly, the phrase “in response to” is synonymous with the phrase “at least in part in response to.”
[0109]Within this disclosure, different entities (which may variously be referred to as “units,” “circuits,” other components, etc.) may be described or claimed as “configured” to perform one or more tasks or operations. This formulation—[entity] configured to [perform one or more tasks]—is used herein to refer to structure (i.e., something physical). More specifically, this formulation is used to indicate that this structure is arranged to perform the one or more tasks during operation. A structure can be said to be “configured to” perform some task even if the structure is not currently being operated. Thus, an entity described or recited as being “configured to” perform some task refers to something physical, such as a device, circuit, a system having a processor unit and a memory storing program instructions executable to implement the task, etc. This phrase is not used herein to refer to something intangible.
[0110]In some cases, various units/circuits/components may be described herein as performing a set of tasks or operations. It is understood that those entities are “configured to” perform those tasks/operations, even if not specifically noted.
[0111]The term “configured to” is not intended to mean “configurable to.” An unprogrammed FPGA, for example, would not be considered to be “configured to” perform a particular function. This unprogrammed FPGA may be “configurable to” perform that function, however. After appropriate programming, the FPGA may then be said to be “configured to” perform the particular function.
[0112]For purposes of United States patent applications based on this disclosure, reciting in a claim that a structure is “configured to” perform one or more tasks is expressly intended not to invoke 35 U.S.C. § 112(f) for that claim element. Should Applicant wish to invoke Section 112(f) during prosecution of a United States patent application based on this disclosure, it will recite claim elements using the “means for” [performing a function] construct.
[0113]Different “circuits” may be described in this disclosure. These circuits or “circuitry” constitute hardware that includes various types of circuit elements, such as combinatorial logic, clocked storage devices (e.g., flip-flops, registers, latches, etc.), finite state machines, memory (e.g., random-access memory, embedded dynamic random-access memory), programmable logic arrays, and so on. Circuitry may be custom designed, or taken from standard libraries. In various implementations, circuitry can, as appropriate, include digital components, analog components, or a combination of both. Certain types of circuits may be commonly referred to as “units” (e.g., a decode unit, an arithmetic logic unit (ALU), functional unit, memory management unit (MMU), etc.). Such units also refer to circuits or circuitry.
[0114]The disclosed circuits/units/components and other elements illustrated in the drawings and described herein thus include hardware elements such as those described in the preceding paragraph. In many instances, the internal arrangement of hardware elements within a particular circuit may be specified by describing the function of that circuit. For example, a particular “decode unit” may be described as performing the function of “processing an opcode of an instruction and routing that instruction to one or more of a plurality of functional units,” which means that the decode unit is “configured to” perform this function. This specification of function is sufficient, to those skilled in the computer arts, to connote a set of possible structures for the circuit.
Claims
What is claimed is:
1. A method, comprising:
establishing, by a first device, a shared secret for secure communication between a first device and a second device using a hybrid password-authenticated key exchange (PAKE), wherein the hybrid PAKE includes:
deriving an initial secret using an elliptic-curve key exchange (ECKE) using a generator selected based on a password;
encrypting, using the initial secret, a public key of a key encapsulation mechanism (KEM) for transmission to the second device;
decrypting, using the initial secret, a ciphertext received from the second device encapsulating the shared secret using the public key; and
decapsulating the shared secret from the decrypted ciphertext using a private key of the KEM;
establishing, by the first device, a secure communication channel with the second device using the established shared secret; and
providing, by the first device, data to the second device via the established secure communication channel.
2. The method of
3. The method of
a first encryption of the public key using the password; and
a second encryption of the public key using the initial secret.
4. The method of
hashing the initial secret and the password to produce a hashed key; and
encrypting, via one-time-pad (OTP), the public key using the hashed key.
5. The method of
hashing the decapsulated shared secret with the password to establish the shared secret.
6. The method of
7. The method of
8. A non-transitory computer readable medium having program instructions stored therein that are executable by a first device to perform operations comprising:
establishing a shared secret for secure communication between the first device and a second device using a hybrid password-authenticated key exchange (PAKE), wherein the hybrid PAKE includes:
deriving an initial secret using an elliptic-curve key exchange (ECKE) using a generator selected based on a password;
encrypting, using the initial secret, a public key of a key encapsulation mechanism (KEM) for transmission to the second device;
decrypting, using the initial secret, a ciphertext received from the second device encapsulating the shared secret using the public key; and
decapsulating the shared secret from the decrypted ciphertext using a private key of the KEM;
establishing a secure communication channel with the second device using the established shared secret; and
providing data to the second device via the established secure communication channel.
9. The computer readable medium of
10. The computer readable medium of
a first encryption of the public key using the password; and
a second encryption of the public key using the initial secret.
11. The computer readable medium of
hashing the initial secret and the password to produce a hashed key; and
encrypting, via one-time-pad (OTP), the public key using the hashed key.
12. The computer readable medium of
hashing the initial secret and the password to produce a hashed key; and
encrypting, via one-time-pad (OTP), the public key using the hashed key.
13. The computer readable medium of
14. The computer readable medium of
15. A first device, comprising:
one or more processors; and
memory having program instructions stored therein that are executable by the one or more processors to cause the device to perform operations including:
establishing a shared secret for secure communication between the first device and a second device using a hybrid password-authenticated key exchange (PAKE), wherein the hybrid PAKE includes:
deriving an initial secret using an elliptic-curve key exchange (ECKE) using a generator selected based on a password;
encrypting, using the initial secret, a public key of a key encapsulation mechanism (KEM) for transmission to the second device;
decrypting, using the initial secret, a ciphertext received from the second device encapsulating the shared secret using the public key; and
decapsulating the shared secret from the decrypted ciphertext using a private key of the KEM;
establishing a secure communication channel with the second device using the established shared secret; and
providing data to the second device via the established secure communication channel.
16. The first device of
17. The first device of
a first encryption of the public key using the password; and
a second encryption of the public key using the initial secret.
18. The first device of
hashing the initial secret and the password to produce a hashed key; and
encrypting, via one-time-pad (OTP), the public key using the hashed key.
19. The first device of
hashing the initial secret and the password to produce a hashed key; and
encrypting, via one-time-pad (OTP), the public key using the hashed key.
20. The first device of